Re: [powershell] Scripting registry queries

Fri, 20 Mar 2015 13:13:33 -0700 

Matt,

I took this, and formatted it so that the statements that begin with
foreach are a single line - got rid of the backticks.

It worked like a champ.

That's really nice - thank you very much.

Kurt

On Fri, Mar 20, 2015 at 12:48 PM, Kelley, Matthew
<kelle...@med.umich.edu> wrote:
> No, that didn't work. Here, I put in some line breaks and this works. 
> Hopefully this is chopped up enough for you:
>
> $Computers = get-adcomputer -filter { name -like "us-it*" } | select Name
>
> #put column names on csv file
> Out-File c:\windows\temp\RegValues.csv -InputObject 
> "ComputerName,RegistryKey,Name,Value" -Append
>
> foreach($computer in $Computers.Name)
> {
>
>  $wmi=[wmiclass]"\\$($computer)\root\default:stdRegProv"
>  foreach($name in 
> ($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersion\Run")).sNames)
>  {"$($computer),Run,$($name)," + `
>  
> $(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Windows\CurrentVersion\Run",$name)).sValue)
>  `
>  | Out-File c:\temp\RegValues.csv -Append}
>  foreach($name in 
> ($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\CurrentVersion\Run")).sNames)
>  {"$($computer),x64Run,$($name)," + `
>  
> $(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Microsoft\Windows\CurrentVersion\Run",$name)).sValue)
>  `
>  | Out-File c:\temp\RegValues.csv -Append}
>  foreach($name in 
> ($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersion\RunOnce")).sNames)
>  {"$($computer),RunOnce,$($name)," + `
>  
> $(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Windows\CurrentVersion\RunOnce",$name)).sValue)
>  `
>  | Out-File c:\temp\RegValues.csv -Append}
>  foreach($name in 
> ($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\CurrentVersion\RunOnce")).sNames)
>  {"$($computer),x64RunOnce,$($name)," + `
>  
> $(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Microsoft\Windows\CurrentVersion\RunOnce",$name)).sValue)
>  `
>  | Out-File c:\temp\RegValues.csv -Append}
>
> }
>
>
> -----Original Message-----
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Kelley, Matthew
> Sent: Friday, March 20, 2015 3:39 PM
> To: 'powershell@lists.myitforum.com'
> Subject: RE: [powershell] Scripting registry queries
>
> Try this. You need the escape character to break lines.. `
>
> $Computers = get-adcomputer -filter { name -like "us-it*" } | select Name
>
> #put column names on csv file
> Out-File c:\temp\RegValues.csv -InputObject 
> "ComputerName,RegistryKey,Name,Value" -Append
>
> foreach($computer in $Computers.Name)
> {
>  $wmi=[wmiclass]"\\$($computer)\root\default:stdRegProv"
>
>  foreach($name in `
> ($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersion\Run")).sNames){"$($computer),Run,$($name),"
>  `  + $(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Windows\ `
>  CurrentVersion\Run",$name)).sValue) `
> | Out-File c:\windows\temp\RegValues.csv -Append}
>
>  foreach($name in `
> ($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\CurrentVersion\Run")).sNames){"$($computer),x64Run,$($name),"
>  `
> + $(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Micros
> + `
>  oft\Windows\CurrentVersion\Run",$name)).sValue) `
> | Out-File c:\windows\temp\RegValues.csv -Append}
>
>  foreach($name in `
> ($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersion\RunOnce")).sNames){"$($computer),RunOnce,$($name),"
>  `
> + $(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Windows\
> + `
>  CurrentVersion\RunOnce",$name)).sValue) `
> | Out-File c:\windows\temp\RegValues.csv -Append}
>
>  foreach($name in `
> ($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\CurrentVersion\RunOnce")).sNames){"$($computer),x64RunOnce,$($name),"
>  `
> + $(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Micros
> + `
>  oft\Windows\CurrentVersion\RunOnce",$name)).sValue) `
> | Out-File c:\windows\temp\RegValues.csv -Append}
>  }
>
> -----Original Message-----
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Kurt Buff
> Sent: Friday, March 20, 2015 3:32 PM
> To: powershell@lists.myitforum.com
> Subject: Re: [powershell] Scripting registry queries
>
> Matt,
>
> The only output I get from your script is the column headers, and no errors. 
> I've copied it below, reformatted slightly, for my own comprehension - so I 
> might have munged it somehow in the copying to my PS ISE session. (Of course, 
> I changed it to C:\temp instead of C:\Windows\Temp).
>
> $Computers = get-adcomputer -filter { name -like "us-it*" } | select Name
>
> #put column names on csv file
> Out-File c:\temp\RegValues.csv -InputObject 
> "ComputerName,RegistryKey,Name,Value" -Append
>
> foreach($computer in $Computers.Name)
> {
>  $wmi=[wmiclass]"\\$($computer)\root\default:stdRegProv"
>
>  foreach($name in
> ($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersion\Run")).sNames){"$($computer),Run,$($name),"
> + $(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Windows\
> + CurrentVersion\Run",$name)).sValue)
> | Out-File c:\windows\temp\RegValues.csv -Append}
>
>  foreach($name in
> ($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\CurrentVersion\Run")).sNames){"$($computer),x64Run,$($name),"
> + $(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Micros
> + oft\Windows\CurrentVersion\Run",$name)).sValue)
> | Out-File c:\windows\temp\RegValues.csv -Append}
>
>  foreach($name in
> ($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersion\RunOnce")).sNames){"$($computer),RunOnce,$($name),"
> + $(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Windows\
> + CurrentVersion\RunOnce",$name)).sValue)
> | Out-File c:\windows\temp\RegValues.csv -Append}
>
>  foreach($name in
> ($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\CurrentVersion\RunOnce")).sNames){"$($computer),x64RunOnce,$($name),"
> + $(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Micros
> + oft\Windows\CurrentVersion\RunOnce",$name)).sValue)
> | Out-File c:\windows\temp\RegValues.csv -Append}
>  }
>
> On Fri, Mar 20, 2015 at 9:53 AM, Kelley, Matthew <kelle...@med.umich.edu> 
> wrote:
>> I understand. Give this a shot:
>>
>>
>> $Computers = get-adcomputer -filter { name -like "us-it*" } | select
>> Name
>>
>> #put column names on csv file
>> Out-File c:\windows\temp\RegValues.csv -InputObject
>> "ComputerName,RegistryKey,Name,Value" -Append
>>
>> foreach($computer in $Computers.Name)
>> {
>>
>>  $wmi=[wmiclass]"\\$($computer)\root\default:stdRegProv"
>>  foreach($name in
>> ($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersion
>> \Run")).sNames){"$($computer),Run,$($name)," +
>> $(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Windows\
>> CurrentVersion\Run",$name)).sValue) | Out-File
>> c:\windows\temp\RegValues.csv -Append}  foreach($name in
>> ($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\Cu
>> rrentVersion\Run")).sNames){"$($computer),x64Run,$($name)," +
>> $(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Micros
>> oft\Windows\CurrentVersion\Run",$name)).sValue) | Out-File
>> c:\windows\temp\RegValues.csv -Append}  foreach($name in
>> ($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersion
>> \RunOnce")).sNames){"$($computer),RunOnce,$($name)," +
>> $(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Windows\
>> CurrentVersion\RunOnce",$name)).sValue) | Out-File
>> c:\windows\temp\RegValues.csv -Append}  foreach($name in
>> ($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\Cu
>> rrentVersion\RunOnce")).sNames){"$($computer),x64RunOnce,$($name)," +
>> $(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Micros
>> oft\Windows\CurrentVersion\RunOnce",$name)).sValue) | Out-File
>> c:\windows\temp\RegValues.csv -Append}  }
>>
>> When you open the csv with excel you will have to use the text to columns 
>> tool on the ribbon...
>>
>> I also changed the output path to windows\temp - just for testing on my 
>> machine. Works decent. Good luck!
>>
>> Matt
>>
>> -----Original Message-----
>> From: listsad...@lists.myitforum.com
>> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
>> Sent: Friday, March 20, 2015 12:04 PM
>> To: powershell@lists.myitforum.com
>> Subject: Re: [powershell] Scripting registry queries
>>
>> Responses in-line...
>>
>> On Fri, Mar 20, 2015 at 5:37 AM, Kelley, Matthew <kelle...@med.umich.edu> 
>> wrote:
>>> Is this a one-time data capture, or something you need to do on a
>>> recurring basis?
>>
>> Recurring, minimum once a week.
>>
>>> Do you have any systems management software, like SCCM, in your
>>> environment?
>>
>> We have no systems management software, though we have an EA agreement
>> (my manager doesn't like SCCM - I have no experience with it, though
>> I'd love to get my hands dirty with it, and with SCOM, but we do have
>> PRTG, which would get very expensive if we tried to monitor
>> workstations with it.)
>>
>>> If not, do your machines run a startup script through Group Policies?
>>> The best solution would be SCCM or something similar, where you can
>>> easily inventory registry keys and wmi data. Second best would be a
>>> logon or shutdown script that mines this data and writes it to a
>>> network share that your computer accounts (domain computers in AD)
>>> have write permissions on.
>>
>> We have lots of people who never log off or shut down their machines, except 
>> when we patch (me included!). It will be better (IMHO) to have all of this 
>> gathered and processed in a more controlled fashion.
>>
>>> Then you would just need  a script to compile all these results into
>>> whatever format you want for viewing, like an excel spreadsheet.
>>> Having one machine open connections to all other machines in your
>>> environment is cumbersome, but it will work if some of the other
>>> options are unavailable, or if this is just a one-time event.
>>
>> I'm intent on building a management station, as a counterpart to our 
>> SecurityOnion installation. It'll be performing some other tasks as well - 
>> this is just the first step.
>>
>> BTW - if you're interested, the SANS webcast (which requires free
>> registration) is here:
>> https://www.sans.org/webcasts/seamless-continuous-monitoring-defend-or
>> ganization-cyber-attacks-99472
>>
>> Kurt
>>
>>
>> ================================================
>> Did you know you can also post and find answers on PowerShell in the forums?
>> http://www.myitforum.com/forums/default.asp?catApp=1
>>
>> **********************************************************
>> Electronic Mail is not secure, may not be read every day, and should
>> not be used for urgent or sensitive issues
>>
>> ================================================
>> Did you know you can also post and find answers on PowerShell in the forums?
>> http://www.myitforum.com/forums/default.asp?catApp=1
>
>
> ================================================
> Did you know you can also post and find answers on PowerShell in the forums?
> http://www.myitforum.com/forums/default.asp?catApp=1
>
> **********************************************************
> Electronic Mail is not secure, may not be read every day, and should not be 
> used for urgent or sensitive issues
>
> ================================================
> Did you know you can also post and find answers on PowerShell in the forums?
> http://www.myitforum.com/forums/default.asp?catApp=1
> **********************************************************
> Electronic Mail is not secure, may not be read every day, and should not be 
> used for urgent or sensitive issues
>
> ================================================
> Did you know you can also post and find answers on PowerShell in the forums?
> http://www.myitforum.com/forums/default.asp?catApp=1


================================================
Did you know you can also post and find answers on PowerShell in the forums?
http://www.myitforum.com/forums/default.asp?catApp=1

Reply via email to